On Mon, 10 Aug 2020, Brian Haberman wrote:
Hi all,

During the DPRIVE session at IETF108, we discussed adopting https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/ and the results were inconclusive. The chairs would like to start a 2-week call for adoption to determine the WG's interest in this work. Please respond to the mailing list with your view (positive or negative) and supporting rationale on adopting the draft. This WGLC will end on 2020-08-24 at 23:59 UTC.
I am against adoption for two reasons.

The draft as it currently is requires that domain name owners and nameserver hosting administrators synchronise their nameserver TLS keys. This is impossible to do at scale. As I suggested, TLSA records on the nameserver FQDNs avoid this problem.

Second, this method introduces a possible national MITM by the TLD being able to put in TLD-wide DS records that might be published against the wishes of the children within the TLD. A protection mechanism via the child confirming the parent record with a CDS record would address this concern.

I truly wish the idea would work. And I still believe a DNSKEY bit on the DNSKEY to signal encrypted DNS availability would be worth pursuing.

Paul

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
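The two mechanisms Paul's reply points at, shown in generic form as an added example (this is not code from the thread, the draft, or any DPRIVE implementation): a DANE TLSA record (RFC 6698, "3 1 1") on the nameserver's own FQDN that pins its TLS key, so the key is published by whoever operates the nameserver rather than synchronised into every delegating zone, and a parent-side check that keeps only those DS-type records the child has confirmed with a matching CDS record (RFC 7344 style). The nameserver name `ns1.example.net`, the SPKI bytes, and all DS/CDS values are constructed for the example; the draft's own DS-based signalling format is not modelled because the message does not describe it.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# ---- Key pinning via TLSA on the nameserver FQDN (RFC 6698) ----

# Constructed sample: stands in for the DER-encoded SubjectPublicKeyInfo
# of the TLS certificate presented by ns1.example.net on port 853.
NS_SPKI_DER = b"constructed-spki-bytes-for-ns1.example.net"


@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE: match the end-entity key itself, no PKIX chain needed
    selector: int  # 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = full data, 1 = SHA-256 of the selected data
    data: str      # hex-encoded association data


def tlsa_owner_name(ns_fqdn: str, port: int = 853) -> str:
    """Owner name of the TLSA RRset for a DoT nameserver: _<port>._tcp.<ns FQDN>."""
    return f"_{port}._tcp.{ns_fqdn.rstrip('.')}."


def tlsa_for_spki(spki_der: bytes) -> TLSA:
    """Build the '3 1 1' TLSA record that pins the given SPKI."""
    return TLSA(usage=3, selector=1, mtype=1, data=hashlib.sha256(spki_der).hexdigest())


def spki_matches_tlsa(spki_der: bytes, record: TLSA) -> bool:
    """Check a presented SPKI against one TLSA record (DANE-EE / SPKI only)."""
    if record.usage != 3 or record.selector != 1:
        return False  # other usages/selectors are out of scope for this example
    if record.mtype == 1:
        return hashlib.sha256(spki_der).hexdigest() == record.data
    if record.mtype == 0:
        return spki_der.hex() == record.data
    return False  # unknown matching type: treat as no match


# ---- Parent record confirmed by a child CDS (RFC 7344 style) ----

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def confirmed_by_child(parent_ds: set[DS], child_cds: set[DS]) -> tuple[set[DS], set[DS]]:
    """Split the parent's DS-type records into those the child confirms via CDS and those it does not.

    A parent that only publishes records from the 'confirmed' set cannot
    unilaterally attach a DS-type record the child never asked for.
    """
    confirmed = parent_ds & child_cds
    unconfirmed = parent_ds - child_cds
    return confirmed, unconfirmed


if __name__ == "__main__":
    rec = tlsa_for_spki(NS_SPKI_DER)
    print(tlsa_owner_name("ns1.example.net"), "IN TLSA", rec.usage, rec.selector, rec.mtype, rec.data)
    print("presented key matches pin:", spki_matches_tlsa(NS_SPKI_DER, rec))

    # Constructed values: the parent holds one record the child published as CDS
    # and one it did not.
    parent = {DS(12345, 13, 2, "aa" * 32), DS(54321, 13, 2, "bb" * 32)}
    child = {DS(12345, 13, 2, "aa" * 32)}
    ok, rejected = confirmed_by_child(parent, child)
    print("confirmed:", ok)
    print("unconfirmed (parent should not publish):", rejected)
```

The TLSA half only handles DANE-EE with the SPKI selector, which is the form relevant to pinning a nameserver's key; the CDS half is a pure set comparison, so a parent-side publisher can run it on every DS-type RRset before it goes into the zone.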
